ipv6 adoption (HE & DNSSEC)

[Timothe Litt]

On 17-Feb-22 04:06, G.W. Haywood wrote:
> Hi Grant,
>
> On Thu, 17 Feb 2022, Grant Taylor wrote:
>
>> Please clarify if you are talking about DNSSEC for your own zone that 
>> they are doing secondary transfers of or if you are talking about 
>> DNSSEC for the IPv6's reverse DNS namespace that they delegate to you.
>
> Ah, good point Grant.
>
> The reverse zones are delegated to us but they aren't signed.
>
Yes, the issue with HE is that while they will delegate reverse zones to 
you, they don't accept DS records.  So you can sign your zones, but 
there is no signature chain to the root.

Before ISC retired DLV, it was possible to use that path - and I did.  
But unfortunately that ship has sailed.

dnsviz shows that HE hasn't signed its reverse zone.  That would be a 
prerequisite to DNSSEC for zones it delegates to customers, as would be 
a mechanism for submitting DS records to HE.

The issue has been open for (almost) 12 years.  I haven't seen any 
updates from HE since the incoherent reply in the thread at 
https://forums.he.net/index.php?topic=890.msg22055#msg22055

It's rather difficult to exert pressure on a vendor that's providing a 
free service.   But enough polite requests might help.

Perhaps further discussion of this belongs elsewhere...it seems to be 
wandering from BIND.

Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20220217/2a2c2c60/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 495 bytes
Desc: OpenPGP digital signature
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20220217/2a2c2c60/attachment.sig>